A story of how professional hackers have targeted weaknesses in two-factor authentication systems makes a great example of how the bad guys orchestrate attacks, practice good IT Governance practices, and thus execute a “continuous improvement process” as prescribed by most frameworks for System Development Lifecycle Controls. In a chilling way, the story also functions as a business case for acquiring such an asset. This article will walk through an attack using applications designed by the organized cyber-crime ring called “The Zeus Group.”
Think about it. A group of entrepreneurs, unethical as they were, decided to give up guns and bullets and bring crime into the 21st Century. These people were competitive, and hired the best minds they could find to develop an approach that would yield benefits while properly managing risks. Now this story needs to take a little side-trip, because these people are now hacking into what we good guys very recently proudly hailed as a “Strong Control.” And, it might help if you understand this Strong Control.
When we security professionals say “two-factor authentication,” we assume you know that there are three different factors of authentication available to us:
- What-you-know (wyk): The WYK factor credentials includes user names, passwords, and personal indentification numbers (PINs). Combination locks are what-you-know. What-you-know credentials are often called “login credentials.”
- What-you-have (wyh): Examples of WYH factor credentials includes keys, tokens, IP Addresses, phone numbers . . . . something that you HAVE in your possession at the time of authentication.
- Who-you-are (wya): The WYA factor usually conjures images from James Bond movies, including your thumbprint and handprint scanners (biometrics), retina scanners, and the spacing habits in the way you type (biopassword).
Two-factor authentication combines more than one of the above three factors. Your ATM card is a what-you-have authentication credential. The PIN is the other factor. The fact that you have two factors substantially increases the number of permutations a spoofer would need to spoof, and thus lowers the likelihood of a spoof attack. Alas, two-factor authentication strengthens authentication, a worthy goal for all.
On-line, organizations can use “out-of-band” communication channels to implement “what-you-have” authentication. The easiest form of this is a “call-back” policy for risky transactions. We can do that, only after we call you at one of the numbers we have on file. Then what you have is a phone number. And nowadays, with everybody owning cell phones, that becomes very easy. Google uses a “Google Authenticator” to serve this purpose. (See image to the left). Facebook also requires this form of two-factor authentication for certain types of transactions. If you own a cell phone, and you haven’t already run into this, you will, most likely within the next year. But there are vulnerabilities with this, in real dollars and cents!
Banks are also now relying on mobile devices as a what-you-have credential. So if you forget your password, the bank can send a text message to your cell that includes a one-time-only password (OTP), often referred to as a “secret code” or an “authentication code.” You then enter that code into the website and, since you have a second factor of authentication, the application will let you proceed to the next phase of the authentication process, which ranges from direct access to the application to additional layers of what-you-know authentication such as challenge questions.
More prevalent, some banks are committing to two-factor authentication as a standard requirement prior to conducting risky transactions. Most typical is the callback in order to reset your password (deemed a high-risk transaction in most risk assessments.) Or, if you want to transfer money from your bank account to another bank account, we can assist you without the use of human beings by requiring two-factor authentication. You have already logged in, and now we just have you use an OTP to get to the money transfer dialog screen.
It is this automated two-factor authentication that The Zeus Group exploits.
Zitmo is “Zeus in the Mobile” and it is an orchestrated attack on confirmation SMS messages sent from banks to mobile phones. To understand what Zitmo does, you need to understand what Zeus does. Zeus has taken many forms over the past few years, and the best way to quickly describe it to non-technical people is to simply say it is a “suite of applications” designed to orchestrate cyber-attacks on specific targets. There is a Bank Version of Zeus, meaning that there is an application dedicated to the daunting task of breaking a bank’s information security program. For this article, I will focus solely on the bank-version of Zeus.
Zeus comes with access to a network of “zombies,” which are computers (laptops, desktops, and now mobile devices) that have already been compromised (or acquired) using various attack vectors created and managed by the makers of Zeus. The attacker uses traditional Zeus malware to compromise the login credentials (what-you-know) of the victim’s on-line banking account, and of course compromise the victim’s computer. The Zeus application itself allows the target to take control of the victim’s machine at opportune times, such as when the victim is at work or asleep. The Zitmo software is then used to steal the what-you-have credentials sent to the user’s cell phone, and then implement the high-risk transaction. But before this can happen, the attacker also needs to capture the victim’s cell phone number and the model of the mobile device. How does that work?
Well, an additional module of the Zeus application available for purchase, will allow the attacker to put HTML forms in the victim’s browser that require population of the cell number and model information. In an elaborate scam focused solely on the user, the attacker eventually gets the user to download malware onto his/her cell phone. Through enticing offers, based on what the hacker learns thanks to indiscriminate friending on Facebook, or other social engineering attack vectors designed to capture information about the victim’s likes and dislikes, the attacker gets the user to install mobile malware on their cell phone. As just one example of how this works, the attacker friends the victim on Facebook, and sees by a variety of posts and comments that the victim is an avid Bears Fan. So the attacker texts the victim an offer for a free Chicago Bears Fight Song jingle that also includes a dancing bear video . . . and the Zitmo malware. Once the attacker has the victim’s cell number and the model of the cell phone, the attacker can install malware that will divert, intercept, or forward text messages sent to the victim’s phone.
Now it’s just a matter of logging back into the on-line banking site using the stolen login credentials, from the victim’s compromised computer, of course, and then clicking on the money transfer function. The bank sends a text message to the user’s mobile device with the authentication code. The malware on the cell phone forwards the text message to another system that has been compromised using the traditional Zeus software. The attacker gets this authentication code and, bingo, the money is transferred to a mule who is paid handsomely to properly launder the money.
These orchestrated attacks are so sophisticated it’s almost mind boggling. In order for the malware to work, the Zitmo application has as many versions of the malware as there are “typical American cell phones.” Think about it, the attacker does not want to have to spend a lot of time testing, to make sure the malware is working on the cell phone of the target, especially after everything the attacker has gone through in order to get this far. Fortunately for the hacker, the Zitmo application designers thought this one through. The attacker merely needs to keep the Zitmo application up-to-date with the latest patches, and most American cell phone models will be covered.
Good application design includes appropriate error checking and status messaging. And the Zitmo application does not escape the need to comply with system design lifecycle best practices. So, in order to ensure appropriate compliance, the malware actually sends status messages via text messaging from the victim’s cell phone to a number programmed into the Zitmo application by the attacker. That way the attacker can get up-to-date status messages on the various compromised cell phones. These messages usually relate to the state of the malware installation. The actual verbiage of a message captured from a bad guy using Zitmo was as follows:
“”27/09/2010″,”12:09″,”Short message”,”Outgoing”,”App installed ok”,”+44778xxxxxxx.”
The +44778xxxxxx part of that message doesn’t make sense to me, but it doesn’t have to. It might be the version of the Zitmo application, or some code for other capabilities based on an assessment of the cell phone. Oh yes, the bad guys do have their own assessment processes. In any good IT Governance Program, a vulnerability assessment is essential. This applies not only to us good guys, but also to the attackers, who want to know what other schemes the victim is susceptible to. They might not have yet dreamed up the schemes, but they might as well start collecting vulnerability information. After all, it’s an important part of any asset management program, and the attacker now owns both the user’s computer and the user’s mobile device.
These assets have value, so the attacker is careful to protect them. The _44778xxxxxxx code could easily be authentication credentials into the malware’s database, stored on the user’s mobile device of course. In other words, if the victim gets testy and starts to download an antivirus application to the mobile device, Zitmo has intrusion detection capabilities (warped as they are) that look for this sort of thing. The attacker might as well just log in using _44778xxxxxxx as the login credentials, lock the user out for a few minutes (the user won’t suspect a thing, but might complain that his/her cell phone works just like a Windows laptop), and disable the anti-virus application.
Not only does Zitmo illustrate potential threats to what have been considered strong controls, Zeus is the perfect example of how the bad guys are using best practices . . . . what we call SDLC Controls . . . in the design of their application. They practice all the hallmarks of good IT Governance, including access management practices through business continuity, training, and license management.
Take a look at the print-screen to the left, showing an options screen in the Zeus application. You can see by this screen that the application has good security controls, allows for reporting, and gives the attacker the ability to encrypt data, set timeouts, and choose which Botnets to attack from. There is also a copyright date established at the bottom of the screen. I’ll bet The Zeus Group enforces its copyrights a little more stringently than the Business Software Alliance. License Management is an important process in any IT Governance program, and I’m sure this license comes with teeth (or bullets).
Zeus has been used to conduct reconnaissance, scan ports, set up man-in-the-middle attacks, design phishing expeditions, and orchestrate drive-by attack websites. Though the application’s user interface is written in English, you’ll need to understand Russian if you need help. Any good application is going to come with good documentation, but I personally can’t tell how well written the help menu is in this application, because it is written in Russian. (See print-screen to the lower right.) The reason for this? Who knows. I would like to think it’s because the IT Governance program maintained by The Zeus Group is a strong one, and thus includes a threat analysis.
If I were the ISO of The Zeus Group, I would be making the management team aware that the majority of my customers are Russian, and the majority of my “threats” are English. And thus the Russian help menu. It’s just a theory I have. But hey, when I see good SDLC controls in place, as an auditor I start to assume that you have good controls in place all around your information system. (Are you getting a hint here?)
Seriously, I’ve seen other print screens from Zeus applications that are in Spanish, and I’ve heard of them being in other languages. The Zeus Group knows their market. They believe in the global economy, and are very grateful to us all for developing it. They seem to have found themselves at the right hacker convention at the right time. And they’re rich. They believe in an ironically high level of professionalism, and are into social networking.
The more I study the practices of The Zeus Group, the more impressed I am by their use of IT Governance Practices. They are certainly well-staffed, and definitely practice the often-difficult controls related to “segregation of duties.” As an auditor, I see these segregation controls as a security issue . . . . keeping the fox from watching the hen house. But as an auditor of small banks, I also see segregation as a way to assure more time in the ISO’s day. I know this is not supposed to be a good reason for segregation, but I’ve seen so many ISO’s distracted by the duties of network administration that I believe firmly in its application as much in smaller institutions as in larger ones, like The Zeus Group.
As an auditor, I would say The Zeus Group’s methods rank between Satisfactory and Excellent. They warrant a 2, possibly a 1, in examiner parlance. (Of course, I can tell you right now they warrant a 1, but since I haven’t examined them, I have to threaten them with the 2.)
Banks already know they must take seriously the global attack vector. Their risk assessments exude the “orchestrated attack” as the thought that keeps them up at night. Like us all, they fight the fight against malware, placing much emphasis on assurance, in the hopes that they’re getting it all. They train their employees on an annual and ongoing basis. And they prepare incident response plans because they know they cannot prevent against 100% of the ways threats can exploit vulnerabilities to create a negative impact.
I think the biggest moral of this story is that Information Security is a process, not a “to-do.” Those of us who are upset because we thought two-factor authentication was going to make us “secure” do not understand the cyclical nature of Information Security. So moral number one: It’s a continuous improvement process.
But this story has many other morals. Attack vectors are now orchestrated . . . . combining many different methods and spread over a long period of time. Worse: if the bad guys are using IT Governance best practices, shouldn’t we? And finally, the bad guys are smart, organized, and motivated. They have good tools. They pay well. They enforce policies.
We must rise to the challenge. We must continually stay ahead of them. We must ask some uncomfortable questions:
1) Do we train our Information Security Officers as well as the bad guys train their ISO’s?
2) Does our compensation structure reflect the fact that Information Security Officer’s are extremely valuable members of the team?
3) Do we properly segregate duties and limit the number of hats our ISO’s wear?
It’s easy for an auditor like me to write “IT Governance Framework” and “SDLC Controls” in an article and, yes, in an audit report. And I used to feel a bit guilty when I wrote “segregation.” But do we grant the time necessary to combat Orchestrated Attacks executed by motivated, well-trained employees using well-designed software like Zitmo and Zeus?
There is a real business case to acquire and use Zitmo. It’s an unethical business case, yes. But what is the business case for your Information Security Officer? The question I hear way too often, which is probably the cause of the guilt I alluded to above, is “Do we really need to segregate the ISO from Network Administration?”
Maybe a better way to put the question would be like this: Would we arm security guards with a squirt gun, and then require that they work the teller line when they are not brandishing the squirt gun?
Dan Hadaway CRISC, CISA, CISM
Managing Partner, infotex